*********************************************************************
TREND MICRO WEEKLY VIRUS REPORT
(by TrendLabs Global Antivirus and Research Center)
*********************************************************************
------------------------------------------------------------------------
Date: Friday September 19, 2003
------------------------------------------------------------------------
To read an HTML version of this newsletter, go to:
http://www.trendmicro.com/en/security/report/overview.htm
Issue Preview:
1. Trend Micro Updates - Pattern File & Scan Engine Updates
2. No Swan Songs – WORM_SWEN.A (Low Risk)
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
4. Put Spam Back in the Can – Aberdeen Group Spam Report
NOTE: Long URLs may break into two lines in some mail readers.
Should this occur, please copy and paste the URL into your browser window.
************************************************************************
1. Trend Micro Updates - Pattern File & Scan Engine Updates
------------------------------------------------------------------------
PATTERN FILE: 636 http://www.trendmicro.com/download/pattern.asp
NOTE: PATTERN FILE SERVICE PACK AVAILABLE FOR TREND MICRO CUSTOMERS AT:
http://www.trendmicro.com/en/support/ausp/overview.htm
SCAN ENGINE: 6.510 http://www.trendmicro.com/download/engine.asp
2. No Swan Songs – WORM_SWEN.A (Low Risk)
------------------------------------------------------------------------
WORM_SWEN.A is a non-destructive, mass-mailing worm that poses as a
legitimate email from Microsoft Windows Update. In addition to its mass-
mailing routine, it attempts to propagate via peer-to-peer (P2P) file-
sharing networks (such as Kazaa), via IRC, and via newsgroups. WORM_SWEN.A
also terminates antivirus and firewall software running on an infected
system. This malware runs on Windows 95, 98, NT, ME, 2000, and XP.
Upon execution, the worm displays a fake error message box that poses as
a MAPI32 Execution Error. The fake dialog requires users to enter details
of their email account, such as:
- email address
- username
- password
- SMTP server
- POP3 server
The worm then searches for the Windows directory and drops a copy of
itself with a random file name in the %Windows% folder. It also creates a
registry entry that allows it to run at every Windows startup. The executed
malware then transfers execution to the dropped copy of the worm, and
terminates.
The following files are also dropped by the worm in the Windows directory:
<computer name>.bat
<random name>.<random extension>
germs0.dbv
germs1.dbv
swen1.dat
This worm uses its own Simple Mail Transfer Protocol (SMTP) engine to
propagate via email. It obtains its target email addresses from .EML,
.WAB, .DBX, and .MBX files in all directories of the infected system.
When sending the email message, it connects to the default SMTP server
of the infected machine.
Following are the characteristics of the infected email:
From: ms inet mail storage service [webdaemon@freemail.com]
To: network receiver
Subject: <none>
Message Body: Hi.
Undeliverable message to <user>@freemail.com
Attachment: <random name>.exe
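A mail-gateway check for the characteristics listed above, as an added
example that is not part of the original newsletter. The function names, the
three-of-four threshold and the sample message are assumptions made here, and
the sample assumes the sender address travels in angle brackets on the wire.

```python
import email
from email import policy
from email.utils import parseaddr

# Values taken from the newsletter's description of the infected email.
SENDER_NAME = "ms inet mail storage service"
SENDER_ADDR = "webdaemon@freemail.com"
BODY_MARKER = "undeliverable message to"

# Constructed sample message (not a captured one); the attachment is a stub.
SAMPLE = """\
From: ms inet mail storage service <webdaemon@freemail.com>
To: network receiver
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi.
Undeliverable message to someone@freemail.com
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="qwzxk.exe"

TVo=
--b1--
"""

def swen_indicators(raw):
    """Return the sorted names of the listed characteristics that raw matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    hits = set()
    if name.lower() == SENDER_NAME or addr.lower() == SENDER_ADDR:
        hits.add("from")
    if not str(msg["Subject"] or "").strip():  # header missing or blank
        hits.add("empty-subject")
    for part in msg.walk():
        filename = part.get_filename() or ""
        if filename.lower().endswith(".exe"):
            hits.add("exe-attachment")
        elif part.get_content_type() == "text/plain" and not filename:
            if BODY_MARKER in part.get_content().lower():
                hits.add("body-marker")
    return sorted(hits)

def looks_like_swen(raw, threshold=3):
    # Threshold is an assumption: one indicator alone is common in normal mail.
    return len(swen_indicators(raw)) >= threshold
```

The sender name and address are easy for a variant to change, so the score
combines them with the subject, body and attachment checks instead of relying
on any single field.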
Using its own SMTP engine, the malware also connects to any of several
Network News Transfer Protocol (NNTP) servers where it searches for its
target contacts.
The worm also attempts to drop copies of itself in a shared folder over
peer-to-peer (P2P) file-sharing networks, with file names that use a
combination of strings hard-coded in its body. It modifies registry entries
to allow copies of itself to be shared in the Kazaa network.
WORM_SWEN.A attempts to propagate via the mIRC application as well. It first
searches for the mIRC installation directory and locates the SCRIPT.INI file.
If the worm finds this file, it overwrites it with its own version of the
SCRIPT.INI file. However, if the file does not exist, it creates this
SCRIPT.INI file in the mIRC folder. The worm also attempts to drop copies of
itself in all mapped Startup folders in network drives.
The worm terminates antivirus and firewall software that is running on an
infected system.
If you would like to scan your computer for WORM_SWEN.A or thousands of
other worms, viruses, Trojans and malicious code, visit HouseCall, Trend
Micro's free, online virus scanner at: http://housecall.trendmicro.com/
WORM_SWEN.A is detected and cleaned by Trend Micro pattern file #635 and
above.
For additional information about WORM_SWEN.A please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A
3. 10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US
(week of: September 8, 2003 to September 14, 2003)
------------------------------------------------------------------------
1. WORM_SPYBOT.GEN
2. WORM_MSBLAST.D
3. JAVA_BYTVERIFY.A
4. WORM_MIMAIL.A
5. WORM_SOBIG.F
6. PE_NIMDA.E
7. BKDR_COREFLOOD.A
8. WORM_KLEZ.H
9. PE_PARITE.B
10. ADW_TENGET.A
4. Put Spam Back in the Can – Aberdeen Group Spam Report
------------------------------------------------------------------------
Spam has shifted from being a nuisance for email users to a drain on
enterprise resources, and a covert channel for delivering hostile mobile
code into the enterprise. And, as recent events have shown, virus writers
are now adopting methods used by commercial spammers, giving spam what
appears to be a decidedly dangerous alter ego. Spam prevention is now a
necessity rather than a luxury.
Read Aberdeen Group’s White Paper on how Trend Micro puts spam back in
the can:
http://www.trendmicro.com/en/products/gateway/spam/evaluate/white-papers.htm
***********************************************************************************
Received on Fri Sep 19 23:04:16 2003